There are two funky commands that can help us see who’s currently logged in, and what operations were performed last. Those two commands are who and last.
Let me show you how to use them.
The who command
Type who at the command prompt and you’ll see a list of currently logged-in users:
who versluis tty1 2015-11-19 11:21 (:0) root pts/0 2015-11-19 11:46 (10.0.1.55)
This system has two users logged in: versluis, via TTY, and root via PTS. We also get to see which IP addresses these users are logged in from (:0 is localhost).
On this note, TTY is the local text based terminal at the machine, while PTS is a pseudo-terminal. This is most likely an SSH session or similar, anything that’s happening remotely.
who can also show us who we are, in case you’re ever logged in on a system and don’t know which user you are:
who am i your-username-here
You can also concatenate who am i into whoami.
The last command
The last command can take a moment to execute and will show a list similar to this:
last versluis tty1 :0 Tue Feb 10 18:54 - down (4+13:11) reboot system boot 2.6.32-504.8.1.e Tue Feb 10 18:51 - 08:05 (4+13:14) root pts/1 10.0.1.43 Tue Feb 10 16:33 - 16:44 (00:10) root pts/0 10.0.1.52 Tue Feb 10 11:36 - down (07:13) versluis pts/0 :0.0 Tue Feb 10 11:35 - 11:35 (00:00) versluis tty1 :0 Tue Feb 10 11:29 - down (07:20) reboot system boot 2.6.32-504.8.1.e Tue Feb 10 11:27 - 18:50 (07:22) root tty1 Tue Feb 10 11:16 - down (00:09) reboot system boot 2.6.32-504.8.1.e Tue Feb 10 11:15 - 11:25 (00:10) reboot system boot 2.6.32-504.8.1.e Tue Feb 10 10:59 - 11:25 (00:26) root tty1 Tue Feb 10 10:29 - down (00:28) reboot system boot 2.6.32-504.el6.i Tue Feb 10 10:28 - 10:58 (00:29) wtmp begins Tue Feb 10 10:28:53 2015
You can see who has logged in to the system recently, from which IP address, and when each session started and finished. You can also see when the system was last restarted (and in Linux, which Kernel was used to do so).
The last line (on Linux, beginning with wtmp) shows since when the command was able to display results. last and who both read a file called wtmp (in /var/log/wtmp), which logs all login attempts over time.
last accepts several filtering options too. For example, to query when a particular user has logged on and off, type last followed by the username:
last versluis versluis tty1 :0 Thu Nov 19 11:21 still logged in versluis tty1 :0 Tue Nov 17 12:44 - 22:32 (09:48) versluis tty1 :0 Tue Nov 17 11:13 - down (01:29) versluis tty1 :0 Sat Oct 31 23:35 - crash (16+12:37) versluis tty1 :0 Sun Aug 9 09:09 - down (83+14:24) versluis tty1 :0 Tue Jun 30 18:03 - down (39+15:04) versluis pts/0 10.0.1.52 Thu Feb 19 14:41 - 18:34 (03:52)
Or if you’re only interested in restarts:
last reboot reboot system boot 2.6.32-573.8.1.e Thu Nov 19 11:20 - 12:02 (00:41) reboot system boot 2.6.32-573.8.1.e Tue Nov 17 12:43 - 12:02 (1+23:18) reboot system boot 2.6.32-573.7.1.e Tue Nov 17 11:12 - 12:42 (01:29) reboot system boot 2.6.32-573.7.1.e Sat Oct 31 23:34 - 12:42 (16+14:07) reboot system boot 2.6.32-573.1.1.e Sun Aug 9 09:08 - 23:33 (83+14:24) reboot system boot 2.6.32-504.23.4. Tue Jun 30 18:02 - 09:07 (39+15:05) reboot system boot 2.6.32-504.8.1.e Sun Feb 15 11:30 - 09:07 (174+20:37)
On OS X the output is somewhat more limited due to the absence of kernels, but it works just the same. For more information on each command, checkout the man pages with man last and man who.